FCRA & Mobile Apps: A Word of Warning

To our knowledge, there’s no app yet that tells people when the FTC staff has sent warning letters discussing how the Fair Credit Reporting Act operates in the world of mobile applications. But the way the app market is growing, some savvy developer will have one out by the time you finish this. In the meantime, read on.

Some FCRA basics: A company is a “consumer reporting agency” under the FCRA if it assembles or evaluates consumer report information for the purpose of providing consumer reports to third parties. Consumer reports include info that relates to a person’s character, reputation, or personal characteristics. They’re typically used — or are expected to be used — for employment, housing, credit, or the like.

For example, say a company provides employers with information it assembles or evaluates about the criminal history of an employee or job applicant. Because the information involves someone’s character, reputation, or other personal characteristics, the company is acting as a consumer reporting agency and the FCRA kicks in.

The law is clear that consumer reporting agencies have to take reasonable steps to ensure the maximum possible accuracy of what’s in the reports. They also have to provide those who use the reports with how-tos about complying with the FCRA. So if an employer gets reports for employment purposes, the credit reporting agency has to give the employer information about their obligation to provide an employee or job applicant with notice of any adverse action taken on the basis of the report. The consumer reporting company also has to tell employers about their obligation to notify the person of their right to get a copy of the report and to a free re-investigation of information the person thinks is in error.

Which brings us back to mobile apps. The letters sent by FTC staff tell developers of six apps that it looks like their products involve background screening reports that include information about criminal histories. That’s info employers are likely to use when screening job applicants. As the letter says, “If you have reason to believe that your reports are being used for employment or other FCRA purposes, you and your customers who are using the reports for such purposes must comply with the FCRA.” (There’s a footnote to that sentence — We’re lawyers. You always have to read the footnotes — that mentions that the FCRA governs the potential use of reports for other things like tenant screening or determining eligibility for credit or insurance.)

But what if the app developer has a disclaimer on its site saying that reports shouldn’t be used for employment or other FCRA purposes? Disclaimer or not, the FCRA would still apply, according to the warning letters. How would the FTC staff determine if a company has reason to believe the app is used for purposes that trigger the FCRA? It’s a fact-specific inquiry and the letter makes clear the staff hasn’t concluded whether the app companies have violated the law. But “we encourage you to review your mobile application and your policies and procedures for compliance with the FCRA.”

Three key points to take from the letters:

If you sell mobile apps like this, read the “you” in that last sentence to apply to your company. When it comes to your FCRA policies and procedures, now’s the time for a compliance double-check.

The same holds true if your business uses mobile apps like this. Make sure you’re honoring your obligations under the FCRA.

What if your work doesn’t involve the FCRA? You’ve come this far, so there’s a nugget for you, too: “App law” may be a developing area, but savvy businesses take it as a given that well-settled consumer protection principles carry forward as transactions go mobile.

Add new comment

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.